
Commit 0f75098

Merge pull request #14682 from svet-se/sle15-update-stig-version-to-V2R7
SLE15 Update STIG version to V2R7
2 parents 4e86ab2 + 1529c28 commit 0f75098

4 files changed

Lines changed: 116 additions & 121 deletions


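--- a/products/sle15/product.yml
+++ b/products/sle15/product.yml
@@ -14,13 +14,16 @@ profiles_root: "./profiles"
 
 init_system: "systemd"
 
+sshd_distributed_config: "true"
+
 pkg_manager: "zypper"
 pkg_manager_config_file: "/etc/zypp/zypp.conf"
 
 pkg_release: "5f68629b"
 pkg_version: "39db7c82"
 release_key_fingerprint: "FEAB502539D846DB2C0961CA70AF9E8139DB7C82"
-oval_feed_url: "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2"
+oval_feed_url: >-
+https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2
 
 aide_bin_path: "/usr/bin/aide"
 audisp_conf_path: "/etc/audit"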
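Review bot: The added `sshd_distributed_config: "true"` is a behaviour change that the commit title (a STIG version bump) does not mention, and the key carries no comment saying what it depends on. Going by the key names in the stability fixture, sshd rules would presumably now target drop-ins under `sshd_config_dir` (`/etc/ssh/sshd_config.d`, basename `00-complianceascode-hardening.conf`) rather than `sshd_main_config_file`; that only takes effect where the installed sshd honours an `Include` of that directory, and whether every SLE 15 service pack this product targets does so is not visible here. I would add a comment above the key, for example `# sshd rules use drop-ins in sshd_config_dir; the main sshd_config must Include that directory`, and state the switch in the commit description. The same flip from `'false'` to `"true"` appears in tests/data/product_stability/sle15.yml.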

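--- a/products/sle15/profiles/stig.profile
+++ b/products/sle15/profiles/stig.profile
@@ -1,7 +1,7 @@
 documentation_complete: true
 
 metadata:
-version: V2R6
+version: V2R7
 SMEs:
 - svet-se
 - rumch-se
@@ -13,7 +13,7 @@ title: 'DISA STIG for SUSE Linux Enterprise 15'
 
 description: |-
 This profile contains configuration checks that align to the
-DISA STIG for SUSE Linux Enterprise 15 V2R6.
+DISA STIG for SUSE Linux Enterprise 15 V2R7.
 
 
 selections:
@@ -70,9 +70,7 @@ selections:
 - accounts_user_home_paths_only
 - accounts_user_interactive_home_directory_defined
 - accounts_user_interactive_home_directory_exists
-- account_temp_expire_date
 - account_unique_id
-- agent_mfetpd_running
 - aide_build_database
 - aide_check_audit_tools
 - aide_periodic_cron_checking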
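Review bot: The third hunk drops `account_temp_expire_date` and `agent_mfetpd_running` from `selections` with no record of why, so a reader cannot tell a requirement withdrawn in V2R7 from an accidental loss of coverage. Both are checks the profile used to enforce (judging by the rule names, temporary-account expiry and a running endpoint agent), and nothing in the visible hunks replaces them. If the V2R7 benchmark removed the corresponding requirements, say so in the commit description with the STIG IDs, or leave a short comment at that position such as `# account_temp_expire_date, agent_mfetpd_running: requirement removed in V2R7`. The `selections` list continues outside the hunk.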

shared/references/disa-stig-sle15-v2r6-xccdf-manual.xml renamed to shared/references/disa-stig-sle15-v2r7-xccdf-manual.xml

Lines changed: 80 additions & 90 deletions
Large diffs are not rendered by default.

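--- a/tests/data/product_stability/sle15.yml
+++ b/tests/data/product_stability/sle15.yml
@@ -1,5 +1,5 @@
-aide_also_checks_audispd: 'yes'
-aide_also_checks_rsyslog: 'no'
+aide_also_checks_audispd: "yes"
+aide_also_checks_rsyslog: "no"
 aide_bin_path: /usr/bin/aide
 aide_conf_path: /etc/aide.conf
 audisp_conf_path: /etc/audit
@@ -16,25 +16,25 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: SLE-15
 benchmark_root: ../../linux_os/guide
-bootable_containers_supported: 'false'
+bootable_containers_supported: "false"
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
-- sle15-server:
-check_id: installed_OS_is_sle15
-name: cpe:/o:suse:linux_enterprise_server:15
-title: SUSE Linux Enterprise Server 15
-- sle15-desktop:
-check_id: installed_OS_is_sle15
-name: cpe:/o:suse:linux_enterprise_desktop:15
-title: SUSE Linux Enterprise Desktop 15
+- sle15-server:
+check_id: installed_OS_is_sle15
+name: cpe:/o:suse:linux_enterprise_server:15
+title: SUSE Linux Enterprise Server 15
+- sle15-desktop:
+check_id: installed_OS_is_sle15
+name: cpe:/o:suse:linux_enterprise_desktop:15
+title: SUSE Linux Enterprise Desktop 15
 cpes_root: ../../shared/applicability
 dconf_gdm_dir: gdm.d
 dynamic_uid_max: 65519
 dynamic_uid_min: 61184
 faillock_path: /var/run/faillock
 families:
-- suse
+- suse
 full_name: SUSE Linux Enterprise 15
 gid_min: 1000
 groups: {}
@@ -51,7 +51,8 @@ ssh_client_config_dir: /etc/ssh/ssh_config.d
 ssh_client_main_config_file: /etc/ssh/ssh_config
 openssh_client_crypto_policy_config_file: /etc/crypto-policies/back-ends/openssh.config
 openssh_server_crypto_policy_config_file: /etc/crypto-policies/back-ends/opensshserver.config
-oval_feed_url: https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2
+oval_feed_url: >-
+https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2
 pam_faillock_conf_path: /etc/security/faillock.conf
 pkg_manager: zypper
 pkg_manager_config_file: /etc/zypp/zypp.conf
@@ -82,23 +83,26 @@ reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
 app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
 app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
-bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
+bsi: >-
+https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://www.cisecurity.org/benchmark/suse_linux/
 cis-csc: https://www.cisecurity.org/controls/
 cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
 disa: https://www.cyber.mil/stigs/cci/
-hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
+hipaa: >-
+https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
 nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
-os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+os-srg: >-
+https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
@@ -109,20 +113,20 @@ release_key_fingerprint: FEAB502539D846DB2C0961CA70AF9E8139DB7C82
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_config_base_dir: /etc/ssh
 sshd_config_dir: /etc/ssh/sshd_config.d
-sshd_distributed_config: 'false'
+sshd_distributed_config: "true"
 sshd_hardening_config_basename: 00-complianceascode-hardening.conf
 sshd_main_config_file: /etc/ssh/sshd_config
 sshd_sysconfig_file: /etc/sysconfig/sshd
-sshd_runtime_check: 'false'
-sysctl_remediate_drop_in_file: 'true'
+sshd_runtime_check: "false"
+sysctl_remediate_drop_in_file: "true"
 target_oval_version:
-- 5
-- 11
-target_oval_version_str: '5.11'
+- 5
+- 11
+target_oval_version_str: "5.11"
 type: platform
 uid_min: 1000
 xwindows_packages:
-- xorg-x11-server
-- xorg-x11-server-extra
-- xorg-x11-server-Xvfb
-- xwayland
+- xorg-x11-server
+- xorg-x11-server-extra
+- xorg-x11-server-Xvfb
+- xwayland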